IPSec tunnel and policy NAT question
Hello All!
I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
2. I need to translate outgoin IP address of our end of IPSec tunnel to a different IP address
I have impemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but dont have packets encrypted to send to the other end.
Here is the configuration
Remote end crypto interesting ACL:
ip access-list extended crypto-interesting-remote
permit ip host 192.168.1.10 host 10.0.0.10
My end configuration:
interface GigabitEthernet0/0
ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN
ip access-list extended crypto-interesting-local
permit ip host 10.0.0.10 host 192.168.1.10
interface GigabitEthernet0/3
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
speed auto
ip nat inside source static 172.16.0.20 10.0.0.10 (to translate loca IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
Any response highly appreciated!
Thanks!
Figured that out.
The problem was in route
ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
should be next-hop IP address instead of interface gigabitethernet0/0
Apparently packet arrives on the interface but does not pass it, when having route like this, becuase there is no one sitting with 192.168.168.10 ip address on the outside
Similar Messages
-
IPSec Tunnel and Making Changes While Up
My main MPLS circuit is down and i have two IPSec tunnels up to my remote sites.
Everything is routing fine but i wanted to add a sub net to my NAT and Tunnels.
Can i add a new subnet to my local network/remote network and save/apply without killing or reseting my active IPSec tunnels?Reza has interpreted your question in terms of NAT and I agree with him that you should be able to change the NAT configuration without impacting other parts of the router operation and connectivity.
But I read your question as involving both NAT and IPSec tunnels. And I believe that the answer is different when you consider IPSec tunnels. You can go ahead and change the configuration of the tunnels while they are up. But the tunnels negotiated their Security Associations based on the config in place when the tunnels came up. They will continue to use those Security Associations after you make your config change. So if you are changing things like what subnets are in the access list used to identify traffic for IPSec these changes will not take effect until a new Security Association is negotiated. You can either wait for the lifetime to expire and new SA negotiated or your can reset the IPSec tunnels and force a new negotiation. Also note that if you are changing the access list on your end that someone on the other end needs to make a corresponding change on their end.
HTH
Rick -
ASA IPsec Remote Access VPN | NAT Question
We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet. I know this is a common issue and can often be resolved on the client side by changing the metirc on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0./16
I played around with some NAT rules and feel that I am missing something I am looking for suggestions, please.
Thank you.Hi,
This depends on your ASA firewalls software version and partly on its current NAT configurations.
I presume the following
Interfaces "inside" and "outside"
VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
Software 8.2 and below
access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
Key things to keep in mind with this software level is that if any of our internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
This will change the order or the "static" commands so that the original "static" command wont override this new configuration as they are processed in order they are inserted to the configuration. The remove/add part is just to change their order in the configuration
Software 8.3 and above
object network LAN
subnet 10.0.0.0 255.255.255.0
object network LAN-VPN
subnet 192.168.10.0 255.255.255.0
object-group network VPN-POOL
subnet 10.10.100.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
In the above configuration we do the same as in the older software versions configuration but we have the number "1" in the "nat" configuration which places it at the very top of your NAT configurations and therefore it applies. No need to remove any existing configuration and enter them again like in the old software
In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel the NAT network needs to be added to the VPN ACL. If using Full Tunnel then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni -
IPSEC tunnel and Routing protocols Support
Hi Everyone,
I read IPSEC does not support Routing Protocols with Site to Site VPN as they both are Layer4.
Does it mean that If Site A has to reach Site B over WAN link we should use Static IP on Site A and Site B Router?
In my home Lab i config Site to Site IPSES VPN and they are working fine using OSPF does this mean that IPSEC supports Routing Protocol?
IF someone can explain me this please?
OSPF config A side
router ospf 1
router-id 3.4.4.4
log-adjacency-changes
area 10 virtual-link 10.4.4.1
passive-interface Vlan10
passive-interface Vlan20
network 3.4.4.4 0.0.0.0 area 0
network 192.168.4.0 0.0.0.255 area 10
network 192.168.5.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.5.3 to network 0.0.0.0
O 192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
100.0.0.0/32 is subnetted, 1 subnets
O 100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C 3.4.4.0/24 is directly connected, Loopback0
C 192.168.30.0/24 is directly connected, Vlan30
64.0.0.0/32 is subnetted, 1 subnets
O E2 64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C 192.168.10.0/24 is directly connected, Vlan10
172.31.0.0/24 is subnetted, 4 subnets
O E2 172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
C 192.168.99.0/24 is directly connected, FastEthernet0/8
C 192.168.20.0/24 is directly connected, Vlan20
192.168.5.0/31 is subnetted, 1 subnets
C 192.168.5.2 is directly connected, FastEthernet0/11
C 10.0.0.0/8 is directly connected, Tunnel0
192.168.6.0/31 is subnetted, 1 subnets
O 192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11
B Side Config
Side A
router ospf 1
log-adjacency-changes
network 192.168.97.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
1811w# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.99.2 to network 0.0.0.0
O 192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
100.0.0.0/32 is subnetted, 1 subnets
O 100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
3.0.0.0/32 is subnetted, 2 subnets
O 3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
64.0.0.0/32 is subnetted, 1 subnets
O E2 64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
172.31.0.0/24 is subnetted, 4 subnets
O E2 172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
C 192.168.98.0/24 is directly connected, BVI98
C 192.168.99.0/24 is directly connected, FastEthernet0
O 192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
192.168.5.0/31 is subnetted, 1 subnets
O 192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
192.168.6.0/31 is subnetted, 1 subnets
O 192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0
Thanks
MaheshHello,
I'm saying crypto maps have a lot of limitations. Tunnel Protection make way more sense
U can configure in 2 ways [ and multicast WILL work over it]
1- GRE over IPSEC
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile tp
set transform-set aes
int tu1
ip address 255.255.255.252
tunnel source
tunnel destination
tunne protection ipsec profile tp
We have configured mode transport because we encrypt GRE + what ever we encapsule in GRE [ eg OSPF - telnet - http ]
Pros:
We can as well transport IPV6 or CDP
Cons:
4 bytes of overhead due to GRE
2- IP over IPSEC
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile tp
set transform-set aes
int tu1
ip address 255.255.255.252
tunnel source
tunnel destination
tunnel mode ipsec ipv4
tunne protection ipsec profile tp
This config is in fact closer from a crypto map [ from encapsulation standpoint]. The transform-set then NEED to be in tunnel-mode
Pro:
4 bytes overhead less than GRE over IPSEC
Cons:
Cannot transport CDP or MPLS or IPV6. Very limiting IMHO
Cheers
Olivier -
Cisco Nexus 5ks EIGRP and Policy routing question.
We just got installed a METRO LINK between our primary and secondary data center (Site-A <> Site-B) I would like to be able to route data replication between these two sites over that link, instead of going over MPLS. We run EIGRP internally and BGP to the MPLS (typical scenario)
At first I thought about doing ‘Policy Based Routing’ with IP SLA to be able to track and route traffic coming from the 10.10.10.0/24 bound to 10.11.11.0/24 and track link state with IP SLA in case the metro link would go down; data replication would continue to flow over MPLS.
In researching this, I found out that Cisco NX-5ks and 6Ks don’t support IP SLA and there is no telling if they will support it any time in future releases either.
I haven’t turned on routing (EIGRP) between the two 5ks over the metro link yet.
Also, I don’t want to statically route replication traffic over the link unless I have to. It would have to be a manual change in case I need to re-route it over the MPLS.
See attached drawing
Any help would be greatly appreciated.
Marramix01can you calculate the metrics of the two different links for EIGRP?
Once you have that you would know which one EIGRP would say is the best path. Then if the MPLS link is not the primary path then you can use Offset-list to force the traffic to and from subnets and still have failover with EIGRP.
I hope I understood your problem correctly. -
NAT of overlapping network through IPSEC tunnel
I am having a NAT problem constructing a router to PIX tunnel (12.4-15T3 to 7.2). I need to both NAT overload through the outside interface for all internet traffic and NAT to a private network for traffic that will flow through an IPSEC tunnel.
Because there is network overlap between sites I have added a NAT on the router as follows:
1) A NAT pool of 254 172.17.20.x addresses.
2) An access list permiting traffic to the hosts on the other side of the tunnel.
3) A NAT source statement using the above ACL and pool.
The IPSEC configuration then includes the 172.17.20.x addresses in the tunnel specification. The tunnel pegs up correctly under this config, traffic originating behind the router is NATd to 172.17.20.x if and only if the traffic matches the access list.
However, once a host has created a 172.17.20.x NAT translation, the normal overload NAT out to the internet no longer works. Even if the second traffic destination does not match the access-list created for the 172.17.20.x NAT statement, the existing translation slot is used. Since 172.17.20.x is not valid on the internet, this has a negative effect on the staff in this location :-/
Both NATing to the internet (using overload PAT on the outside IP address) and NATing for the tunnel (using the list of 172.17.20.x address) are necessary. What am I missing?Refer to PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml -
We just moved into a new place and shaw provides a wireless router for the broadband 50 connection no intstead of just a standalone bridge for the cable modem now.
2 devices are
Airport Extreme
Cisco - DPC3825
I was just upgrarding firmware and I get this message.
Problem 1/1 - Double Nat
Screenshot attached of error
So I am wondering if I should put this in bridge mode so or in second option. Or should I configure cisco router in bridge mode and change this? Just wondering if anyone had any real life expereince with these.
Also I work from home and I use an aruba remote ap (RAP2) It creates an ipsec tunnel and connects back to our controller in California. Before we moved I had this connected into my airport extreme that was connected directly to the motorola cable modem.
Appreciate the help on this.You should definitely configure the AirPort Exteme in Bridge Mode since you already have another router "upstream" on your network.
If you select the "Share a single IP address setting", you will have two devices....both trying to act as routers distributing IP addresses and handling NAT services.
That....is a virtual guarantee that you will have multiple conflicts on the network. -
IPSec Tunnel (reform) examples
Would it be possible to use Solaris 10u4 new IPSec tunnel (reform) feature to build Solaris VPN server, where I have a list of remote systems (each with different dynamic IP) and Solaris server which allows them to connect to internal network ?
Thanks.This link ( http://docs.sun.com/app/docs/doc/816-4554/6maoq0228?a=view ) has an overview of how IPsec Tunnel Mode policy works with a VPN. You should examine these for more examples.
A simple single-node remote access case would look like the following.
Assume:
C == client's external-network IP address
S == server's external-network IP address
c == client's internal IP address
s == server's internal-network IP address
On the server side:
Configure (but do not enable) an IP-in-IP tunnel once you've assigned the client's IP address (assume there are no other tunnels for now...):
ifconfig ip.tun0 plumb s c tsrc S tdst C
Now add policy for that tunnel, enabling JUST the single internal IP address for the client to go through. Add this line via ipsecconf(1M), let's use AES and HMAC-SHA-1
# When the "tunnel" keyword is present, inner-addresses are the selectors.
{tunnel ip.tun0 negotiate tunnel raddr *c* } ipsec {encr_algs aes encr_auth_algs sha1}
Then bring the tunnel up:
ifconfig ip.tun0 up
I assume you have IKE properly configured between S and C.
On the client side, it's pretty much the same but with local/remote or src/dst reversed:
ifconfig ip.tun0 plumb c s tsrc C tdst S
then feed this into ipsecconf(1M):
{ tunnel ip.tun0 negotiate tunnel laddr *c* } ipsec {encr_algs aes encr_auth_algs sha1}
and finally:
ifconfig ip.tun0 up.
The docs pointer shows office-to-office examples where you may wish to protect one or more subnets.
Hope this helps,
Dan
Edited by: danmcd on Sep 18, 2007 2:27 PM -
VLAN's over Internet/IPSec Tunnel
Hi All !
I have a problem.
I have trunked 5 VLANS from various sites over sattelite and have them all ending on a hub router ,
but my difficulty now is in getting them sent to the HQ over the internet.
I have thought about only 2 ways of possibly being able to do this
1. Get a leased Line :-)
2. and the only feasable alternative ! is to get the VLANs sent per IPSec over the internet but this is my problem....
How do I get a packet from a VLAN into an IPSec tunnel and vice versa ?
What equipment would I need ? (more switches/routers)
Do I need 1 IPSec tunnel for each VLAN to keep them separate from each other ?
Can someone please help.You have posted this same question on the WAN Routing and Switching forum where it has gotten some responses. I suggest that we consolidate the discussion of this question on that forum.
HTH
Rick -
IPSEC Tunnel vs IKE Tunnel?
I am running ASDM 5.1 and PIX 7.1(1)
When I look in the gui it always reports a different number for IPSEC Tunnels and IKE Tunnels, I didn't know that there was a difference? For example right now it is reporting, 45 IKE Tunnels and 53 IPSEC Tunnels. What does this mean?
Thanks :)They are not the same. 45 IKE Tunnels represents how tunnels are established with peers. 53 ipsec Tunnels represents how many sessions are being encrpted amongst those peers.
HTH -
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.Hi,
Ok so were going with the older NAT configuration format
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni -
IPSEC tunnel with NAT and NetMeeting
I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
Thanks,The following doc should help...
http://www.cisco.com/warp/public/707/ipsecnat.html -
Hi,
I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office. I am fairly new to networking so forgive me if I ask some really silly questions!
I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel. What I wanted to do was create another vlan, give this a different subnet. Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work. I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside)
The configuration can be seen below for the NAT part;
! Denies vpn interesting traffic but permits all other
ip access-list extended NAT-Traffic
deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
permit ip any any
! create route map
route-map POLICY-NAT 10
match ip address NAT-Traffic
! static nat
ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down. Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
Am I along the right lines in terms of configuration? And if not can anyone point me in the direction of anything that may help at all please?
Many thanks in advance
BrianHi,
Sorry to bump this thread up but is anyone able to assist in configuration? I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
Thanks
Brian -
Help on establishing Ipsec tunnel btw 1941 and ASA
We are creating an Ipsec tunnel over the internet to another site but is not working, could someone help me on what could be happening?
My config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname XXXX
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable XXXXX
enable password XXXXXX
no aaa new-model
no ipv6 cef
ip source-route
ip cef
ip domain name yourdomain.com
ip name-server XXX.XXX.XXX.XXX
ip name-server XXX.XXX.XXX.XXX
multilink bundle-name authenticated
password encryption aes
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-4075439344
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4075439344
revocation-check none
rsakeypair TP-self-signed-4075439344
crypto pki certificate chain TP-self-signed-4075439344
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303735 34333933 3434301E 170D3131 30393139 30323236
34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373534
33393334 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A35E B6AC0BE0 57A53B45 8CF23671 F91A18AC 09F29E6D AEC70F4D EF3BDCD6
269BFDED 44E26A98 7A1ABCAA DB756AFC 719C3D84 8B605C2A 7E99AF79 B72A84BC
89046B2D 967BB775 978EF14D A0BD8036 523B2AE1 1890EB38 BCA3333B 463D1267
22050A4F EAF4985A 7068024A A0425CE7 D3ADF5F5 C02B2941 67C9B654 6A7EF689
049B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1408B59A 57733D6E 157876B3 72A91F28 F8D95BAB D2301D06
03551D0E 04160414 08B59A57 733D6E15 7876B372 A91F28F8 D95BABD2 300D0609
2A864886 F70D0101 05050003 81810094 ED574BFE 95868A5D B539A70F 228CC08C
E26591C2 16DF19AB 7A177688 D7BB1CCB 5CFE4CB6 25F0DDEB 640E6EFA 58636DC0
238750DD 1ACF8902 96BB39B5 5B2F6DEC CB97CF78 23510943 E09801AF 8EB54020
DF496E25 B787126F D1347022 58900537 844EF865 36CB8DBD 79918E4B 76D00196
DD9950CB A40FC91B 4BCDE0DC 1B217A
quit
license udi pid CISCO1941/K9 sn FTX1539816K
license boot module c1900 technology-package securityk9
username XXXXXXXXXXXXXX
redundancy
crypto isakmp policy 60
encr aes
authentication pre-share
group 2
crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
crypto isakmp profile mode
keyring default
self-identity address
match identity host XXX.XXX.XXX.XXX
initiate mode aggressive
crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
crypto map outside 60 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set VPNbrasil
set pfs group2
match address vpnbrazil
interface Tunnel0
ip unnumbered GigabitEthernet0/1
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description WAN
ip address XXX.XXX.XXX.XXX 255.255.255.248
ip nat outside
no ip virtual-reassembly in
duplex full
speed 100
crypto map outside
interface GigabitEthernet0/1
description Intercon_LAN
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
ip access-list extended natvpnout
permit ip host XXX.XXX.XXX.XXX any
permit ip any any
ip access-list extended vpnbrazil
permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
permit ip any any
access-list 1 permit any
access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
access-list 3 permit XXX.XXX.XXX.XXX
access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
access-list 23 permit any log
control-plane
b!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input all
telnet transparent
line vty 5
access-class 23 in
privilege level 15
login
transport input all
telnet transparent
line vty 6 15
access-class 23 in
access-class 23 out
privilege level 15
login local
transport input telnet ssh
transport output all
Could someone please help me on what could be wrong? and What tests should I do?
Rds,
Luiztry a simple configuration w/o isakmp proflies
have a look at this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml -
Direct Access 2012 R2 - Problems with Force Tunneling and other questions
I have just setup a Direct Access 2012 R2 server in my network, 2012 domain and all Windows 8 clients.
Internal CA environment (no external CRL) using a public issued cert for IPHTTPS tunnel, 2 interfaces for the DA server, 1 internal and 1 in the DMZ behind a NAT firewall (1 public IPv4 address) and my test clients are connecting fine to internal resources.
1. When I enable Force Tunneling the clients no longer are able to access the external internet. Is there anything I need to add to make this work?
2. I am having trouble with our Remote Desktop Session Hosts. I can only assume it has something to do with the DNS as we have our AD domain performing internal DNS of the int.contoso.com domain and public DNS performing for the external
Contoso.com domain (RDWA etc). DA has only int.contoso.com set as a DNS Name Suffix in the Infrastructure Setup. Should I add the external contoso.com Name Suffix in there too?
3. I have a Kaspersky Security Center server for centralized AV admin, can I still push out AV updates to the clients that connect with DA. Do I add my KSC server to the Management Servers list in the Infrastructure Server Setup page on the DA
setup. Does that list allow those servers to access the DA clients?Hi,
Let's solve problems one by one. Force tunneling. When enabled, all network trafic from DirectAccess clients goes throught IPSEC tunnels. Just configure a proxy on your DirectAccess clients (with a FQDN of course) and your clients should be able to surf
internet again.
RDS : Depend. Where are your RDS servers registred internal zone DNS or external DNS zone. If a DirectAccess client cannot resolve a name it does not know if it has to go throught the tunnel. At last can you ping your RDS Server?
Remote Management : Right. Adding servers in this list allow them to use the IPSEC infrastructure tunnel (computer established tunnel) without users being logged.
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
Maybe you are looking for
-
HT1420 i just activated a new computer and none of my songs will play and i dont know why
I just activated a new computer and noneof my songs will play
-
The disc inserted does not have enough free space
I created a disk image about 451 MB, it an Audio Disk. When I try to write the image to a blank Memorex CD-R 700 MB I get the message: "The disc inserted does not have enough free space". When I created the image I used the disk utility and followed
-
Having problems with Labview 7.0 after installing Windows XP Pro
After updating Windows XP Pro from Windows 98, my programs give me the following error: The procedure entry point SUnMapLS_IP_EBP_12 could not be located in the dynamic link library KERNEL32.dll I tried reinstalling Labview 7.0, but to no avail.
-
Exporting Audio from MPEG2 to any other format
I recently puyrchased myTV.PVR. It saves digitized video clips to MPEG2. After purchasing Quicktime's MPEG2 Converter, I can now open the files in Quicktime Pro 7. BUT... when I export, and to any other form, MPEG4, DV, etc... there is NO audio track
-
Regarding userexit for tcode me51
Hi All, I Have requirement for tcode me51 in that one screennumber is 505,inthat twofields are there EKBN-SAKTO,COBL-KOSTL I i need to print text for that twofields,G/L account field text and costcnter field text,can any one help me any screenexit i